Unable to use email feature in Quickbooks on Terminal Server without being power user or above.

The situation is this. I have Metaframe XP running on Windows 2000 Server with Quickbook Enterpise Solutions as the published application. Recently I have had a user who wanted to use the email feature in Quickbooks, which seems to call a regular Windows mail profile to choose and then opens Outlook with a form attached (Invoice, Statement,...etc) in PDF format.

In order for this to work, I had to add the User to the local Power Users group on the Metaframe Server. By doing this it gave him access to view but not print to every other users auto-created printer. This is normal in a Terminal Server environment but is unacceptable as he is able to view printers in Quickbooks from companies other than his own.

When the user is just part of the Domain Users group he doesn't see anyones printers except his own. But when the email button in Quickbooks is executed nothing happens. No error messages, nothing.

So, please help me find a way to have this users access the email feature without being part of a group with elavated privliges. It seems to me that the email feature calls upon files and registry entries needed to be written to or read from that requires a user with power user or above privleges.
Thanks
Mike

I've been slugging it out with quickbooks on this very issue and here is what I have:

According to Quickbooks users have to be a member of the Power Users group for it to work
(I agree it is absolutely insane, I've spoken to MS and Quickbooks and they both point the finger at the other)

One other thing that I have come across is that applying the compatws.inf security template can open up the registry for legacy (aka poorly designed). I haven't tried this on my machine yet as it is already in production but it sounds promising. If it doesn't work you can always import a higher security template.

I feel your pain on this one. Let me know if you need any help of clarification.
Crow

I will look into your post and excellent suggestions first chance I get and will let you know how I make out. It's comforting to know that there is someone else out there with a successfull TS/Quickbooks install to get help from. And, oh yeah, share the pain with.

Ok, I have the batch file setup to run at logon with a scheduled task under the admin account. I couldn't see the output of the subinalc command but I tested it by applying the power user group to an auto-created printer from my local PC. After running the batch file the group was gone. So its working now. Thanks

I can still see everyone's printers while a member of power users. When I look at the security for all the auto-created printers from other users, I don't see any power users group. Before or after running the script.

Do I still see everyone's printers because I haven't yet run the script for them at their PC?

Negative, it should only have to be run on the Term Server. I had to schedule it as a recurring task (about every five minutes) because once a new user logs on, their printers populate on the term serv with the default groups (including power users). I've tried setting this script to run when the user logs on but the TS printers haven't populated at that time. This is one reason why I'm wondering if the compatws template will negate the need to put them in the Power Users group. This template won't do anything that can't be undone by applying a higher security template to the machine. It only effects the local machine and you can go into gpedit.msc (from the run dialouge box) after the fact and reverse any changes that are made. From the reading I've done it opens up the registry for applications that weren't designed with security in mind. The way I see it is you can compramise security by putting users in the Power Users group (with all the annoying things that go along with it) or you can do it by generally opening up the registry to users (and potentially avoid these headaches). Keep in mind that I have not personally tested the template for this particular issue but it sounds like the type of problem microsoft developed the template for.

I will look into link. I am worried it will remove permissions for Citrix and the Web Interface.

Regarding the printers. When I look at everyone's auto-created printers security, I don't see any power users group. The Security at each printer is the "user" who auto-created, Administrator and System. This has always been the case.
Do your clients auto-create printers? and when you see them on TS Server (before ever running script) did they have the power users group?

By default the power users on my terminal server have permissions on the ACL for any printer objects created on the machine (They also show up on the ACL). My clients are set up to have their printers autocreated/redirected when they log on to the server. I wonder is this is a difference between 2000 and 2003 or possibly an extra service that citrix provides. I have a spare 2003 box that I am going to set up as a term server and try the compatws trick to see if it will work (it sounds like you are running in a production enviroment as well). I'll take a note on the default behaviours and get back with you.

I've just checked two of my 2000 Citrix machines and have verified that the default behavior does not place the Power Users group on the ACL for the printer objects. I'm not sure if this is a 2000/2003 change or a citrix function. I'll let you know what results I get with compatws.

I am running in a production environment. I have been yelled at to much of late for anything else to go wrong.

One thing I have noticed is that when using the Email feature, QB calls on the "Intuit Internal Printer". Also I have run a tool that list the processess of what files are being accessed when the Email button is executed. QB calls upon spool.exe in order to send an email.

Finally figured it out! I couldn't get my mind wrapped around why the spoolsv.exe in the WINNT/system32 was being accessed when executing the email button.

Quickbooks is trying to access the "Intuit Internal Printer" which creates the PDF document that is to be emailed. None of my users have this printer in their TS sessions. As soon as I created the Printer, which is a local printer on the TS Server, email worked fine without any user needing to be in a Power Users grpup.

There is an executable (install.exe) in the Intuit directory that creates this printer. You must rename this printer from Ayumni....... to Intuit Internal Printer for the Email to work.

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…

With the emergence of Office 365 as a superior email communication platform, many organizations have started switching over to it. After migrating to Office 365, sometimes users, as well as organizations, will have to import PST files to Office 36…

How to fix display issue, screen flickering issue when I plug in
power cord to the machine.
Before I start explaining the solution lets check out once the issue how it looks like
after I connect the power cord. most of you also have faced this…